






# | Type | Hits | Search Text | DBs | Time Stamp | Comments / Error Definition | Errors
1 | IS&R | 878 | (380/30).CCLS. | USPAT; US-PGPUB | 2004/10/06 14:12 | | 0
2 | BRS | [illegible] | ((380/30).CCLS.) and (adaptive near chosen near ciphertext near attack) | USPAT; US-PGPUB | 2004/10/06 14:1[illegible] | rcvd full images | [illegible]
3 | BRS | 8 | ((380/30).CCLS.) and ((adaptive near chosen near ciphertext near attack) or (computational near diffie near hellman near assumption)) | USPAT; US-PGPUB | 2004/10/07 15:23 | rcvd full images | 0
4 | BRS | 2 | fujisaki-okamoto | USPAT; US-PGPUB; EPO; JPO; DERWENT; IBM_TDB | 2004/10/07 11:16 | rcvd full images | 0
5 | BRS | 131 | fujisaki-okamoto F-0 | USPAT; US-PGPUB; EPO; JPO; DERWENT; IBM_TDB | 2004/10/07 11:16 | send ttls | 0
6 | BRS | 2 | fujisaki-okamoto F-0 and encryption | USPAT; US-PGPUB; EPO; JPO; DERWENT; IBM_TDB | 2004/10/07 13:21 | rcvd full images | 0
7 | BRS | 29 | pointcheval | USPAT; US-PGPUB; EPO; JPO; DERWENT; IBM_TDB | 2004/10/07 13:21 | rcvd full images | 0
8 | BRS | 16 | ((adaptive near chosen near ciphertext near attack) or (computational near diffie near hellman near assumption)) | USPAT; US-PGPUB | 2004/10/07 15:24 | rcvd full images | 0

10/07/2004, EAST Version: 1.4.1



Google Search: fujisaki-okamoto encryption

Web Results 1 - 10 of about 333 for fujisaki-okamoto encryption. (0.60 seconds)

Citations: EPOC : Efficient probabilistic encryption - Fujisaki ...
E. Fujisaki, T. Okamoto, and Uchiyama. EPOC : Efficient probabilistic encryption. ... E.
Fujisaki, T. Okamoto, and Uchiyama. EPOC : Efficient probabilistic encryption. ...
citeseer.ist.psu.edu/context/1853010/0 - 6k - Supplemental Result

Provably Secure Length-saving Public-Key Encryption Scheme under ...
... For instance, security of the ElGamal variant of Fujisaki-Okamoto public-key encryption
scheme and Cramer and Shoup's encryption scheme is based on the
citeseer.ist.psu.edu/507647.html - 18k - Supplemental Result

[PDF] Fujisaki-Okamoto Hybrid Encryption Revisited
File Format: PDF/Adobe Acrobat
... (will be inserted by the editor) Fujisaki-Okamoto Hybrid Encryption Revisited David
Galindo, Sebastià Martín, Paz Morillo, Jorge L. Villar Dep. ...
www-ma4.upc.es/~dgalindo/FOfinallJIS.pdf

[PDF] Fujisaki-Okamoto IND-CCA hybrid encryption revisited
File Format: PDF/Adobe Acrobat
Page 1. Fujisaki-Okamoto IND-CCA hybrid encryption revisited David Galindo, Sebastià
Martín, Paz Morillo and Jorge L. Villar Dep. Matemàtica Aplicada IV. ...
eprint.iacr.org/2003/107.pdf

Cryptology ePrint Archive
Cryptology ePrint Archive: Report 2003/107. Fujisaki-Okamoto IND-CCA hybrid
encryption revisited. David Galindo and Sebastià Mart ...
eprint.iacr.org/2003/107/ - 3k

[PPT] Identity Based Encryption
File Format: Microsoft PowerPoint 97
... Fujisaki-Okamoto: If epk(M) is a one-way encryption scheme, the hybrid scheme
epkhy(M) = <epk(σ;H3(σ,M)) , H4(σ) ⊕ M> is secure in the Semantic Security ...
www.cs.huji.ac.il/labs/danss/presentations/IBE.ppt

... Generic Conversions for Asymmetric Cryptosystems Tokyo University - November 24th
2000 - 23 David Pointcheval ENS-CNRS Conversion: FO 99 Conversion: FO 99 ...
www.di.ens.fr/~pointche/Documents/Slides/2000Jokyo.pdf

http://www.google.com/search?hl=en&q=F-0+elgamal 10/7/04

Google Search: F-0 elgamal

Citations: DHAES: An encryption scheme based on the Diffie-Hellman ...
... DDH A) DHAES [1] (based on the hash Diffie Hellman assumption (HDHA) and the Fujisaki
Okamoto(FO) scheme [12 ... Why Textbook ElGamal and RSA Encryption are Insecure ...
citeseer.ist.psu.edu/context/552001/231324 - 14k






Google Search: pointcheval encryption scheme

Web Results 11 - 20 of about 3,030 for pointcheval encryption scheme. (0.18 seconds)

Anand Desai: publications
portal.acm.org/citation.cfm?id=996945

[PDF] PSEC: Provably Secure Elliptic Curve Encryption Scheme (Submission ...
File Format: PDF/Adobe Acrobat
... 284-293 (1997). [3] Bellare, M , Desai, A., Pointcheval, D, and Rogaway, P.: Relations
Among Notions of Security for Public-Key Encryption Schemes, Proc. ...
grouper.ieee.org/groups/1363/P1363a/contributions/psec.pdf

[PDF] Imperfect Decryption and an Attack on the NTRU Encryption Scheme
File Format: PDF/Adobe Acrobat
... However, when an encryption scheme has imperfect decryption an attacker may be
able ... 3 The REACT Transformation In 2000 Okamoto and Pointcheval [16] presented ...
eprint.iacr.org/2003/002.pdf

DBLP: David Pointcheval
... 8, EE, Mihir Bellare, Anand Desai, David Pointcheval, Phillip Rogaway: Relations
Among Notions of Security for Public-Key Encryption Schemes. CRYPTO 1998: 26-45 ...
www.informatik.uni-trier.de/~ley/db/indices/a-tree/p/Pointcheval:David.html - 34k

[PPT] Status of Draft ANSI X9.44 (& More)
File Format: Microsoft Powerpoint 97
... RSA-OAEP. Asymmetric encryption scheme combining RSA with the OAEP encoding method. ...
RSA-OAEP Encryption. MGF. MGF. ... Fujisaki, Okamoto, Pointcheval, and Stern (2000 ...
csrc.nist.gov/CryptoToolkit/kms/ANSI%20X9.44%20Status.ppt

http://www.google.com/search?q=pointcheval+encryption+schem 10/7/04

[PDF] Provable Security in Cryptography — PL-based Systems ECC ...
File Format: PDF/Adobe Acrobat
... Ecole normale supérieure France Encryption Provable Security in Cryptography - 16
David Pointcheval Encryption Scheme Encryption Scheme 3 algorithms ...
www.exp-math.uni-essen.de/~weng/pointcheval 2002 ecc.pdf







Google Search: chosen-ciphertext security for one way cryptosystem

"for" is a very common word and was not included in your search.
Web Results 1 - 10 of about 3,020 for chosen-ciphertext security for one way cryptosystem. (0.39 seconds)

Chosen-Ciphertext Security for any One-Way Cryptosystem ...
Chosen-Ciphertext Security for any One-Way Cryptosystem (2000) (Make Corrections)
(27 citations) David Pointcheval. Public Key Cryptography. ...
citeseer.ist.psu.edu/pointcheval00chosenciphertext.html - 23k

chosen ciphertext security - Research Index document query
... the random oracle model assuming the eprint.iacr.org/2002/056.ps.gz Chosen-Ciphertext
Security for any One-Way Cryptosystem - Pointcheval (2000) (Correct) (22 ...
citeseer.ist.psu.edu/cis?submit=Documents&q=Chosen-Ciphertext%20Security - 15k

[PDF] Chosen-Ciphertext Security for any One-Way Cryptosystem
File Format: PDF/Adobe Acrobat
... Chosen-Ciphertext Security for any One-Way Cryptosystem David Pointcheval Dépt
d'Informatique, ENS - CNRS, 45 rue d'Ulm, 75230 Paris Cedex 05, France. ...
www.di.ens.fr/~pointche/Documents/Papers/2000_pkcC-US.pdf

[PDF] PKC ' 2000
File Format: PDF/Adobe Acrobat
... Australia David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Chosen-Ciphertext
Security for any One-Way Cryptosystem Chosen-Ciphertext Security for any One ...
www.di.ens.fr/~pointche/Documents/Slides/2000_pkcC.pdf

Chosen-Ciphertext Security for Any One-Way Cryptosystem
... Search: The ACM Digital Library The Guide. Feedback Report a problem Satisfaction
survey. Chosen-Ciphertext Security for Any One-Way Cryptosystem. ...
portal.acm.org/citation.cfm?id=648117.746611

[PDF] The RSA Cryptosystem
File Format: PDF/Adobe Acrobat
... Pointcheval-Stern • RSA-OAEP is Chosen Ciphertext Secure ... Security proof less efficient
than original "proof ... RSA(x || y) => x then RSA is not one-way. ...
crypto.stanford.edu/~dabo/courses/cs255_winter03/rsa-lecture.pdf

[PDF] The RSA one way permutation Textbook RSA is insecure A simple ...
File Format: PDF/Adobe Acrobat
... The RSA one-way permutation is not a cryptosystem. ... 2 Page 7 Chosen ciphertext security
(CCS) No efficient attacker can win the following game: (with non ...
crypto.stanford.edu/~dabo/courses/cs255_winter00/RSA.pdf

Cramer-Shoup
... D. Pointcheval, "Chosen-Ciphertext Security for any One-Way Cryptosystem", Practice
and Theory in Public Key Cryptography - PKC '00 Proceeding, pp. ...
www.kisa.or.kr/technology/sub1/CS.htm - 10k

[PDF] A Practical Public Key Cryptosystem Provably Secure against ...
File Format: PDF/Adobe Acrobat
... a bit more computation, we get security against adaptive ... insecure against adaptive
chosen ciphertext attack. ... also requires a universal one-way hash function. ...
www.zurich.ibm.com/security/ace/cs.pdf

http://www.google.com/search? 10/7/04

Victor Shoup's Research Papers
... theorem for universal one-way hash functions ... Why chosen ciphertext security matters,
IBM Research Report RZ ... A practical public key cryptosystem provably secure ...
www.shoup.net/papers/ - 13k - Oct 5, 2004






IEEE Xplore Search Results

IEEE Xplore RELEASE 1.8

Welcome United States Patent and Trademark Office

Your search matched 0 of 1076880 documents.

A maximum of 500 results are displayed, 15 to a page, sorted by Relevance in Descending order.

Refine This Search: fujisaki okamoto

No documents matched your query.

Copyright © 2004 IEEE — All rights reserved

http://ieeexplore.ieee.org/searc 10/7/04



IEEE Xplore Search Results

Welcome United States Patent and Trademark Office

Your search matched 2 of 1076880 documents.

A maximum of 500 results are displayed, 15 to a page, sorted by Relevance in Descending order.

Refine This Search: pointcheval

Results Key:
JNL = Journal or Magazine CNF = Conference STD = Standard

1 Signature scheme based on composite discrete logarithm
Chik How Tan; Xun Yi; Chee Kheong Siew;
Information, Communications and Signal Processing, 2003 and the Fourth Pacific
Rim Conference on Multimedia. Proceedings of the 2003 Joint Conference of the
Fourth International Conference on, Volume: 3, 15-18 Dec. 2003
Pages: 1702 - 1706 vol.3
[Abstract] [PDF Full-Text (431 KB)] IEEE CNF

2 On the (In)security of the Fiat-Shamir paradigm
Goldwasser, S.; Kalai, Y.T.;
Foundations of Computer Science, 2003. Proceedings. 44th Annual IEEE
Symposium on, 11-14 Oct. 2003
Pages: 102 - 113
[Abstract] [PDF Full-Text (508 KB)] IEEE CNF

http://ieeexplore.ieee.org/search/searchresult.jsp?SortField=Score&SortOrder=d 10/7/04



Results (page 1): fujisaki-okamoto

The ACM Digital Library
US Patent & Trademark Office

Terms used fujisaki okamoto

Found 2 of 143,484

Results 1 - 2 of 2

1 Efficient revocation and threshold pairing based cryptosystems 
distributed computing

Full text available: pdf(1.02 MB) Additional Information: full citation, abstract, references, index terms

Boneh, Ding, Tsudik and Wong recently proposed a way for obtaining fast revocation of RSA 
keys. Their method consists in using security mediators that keep a piece of each user's 
private key in such a way that every decryption or signature operation requires the help of the
mediator for the user. Revocation is achieved by instructing the mediator to stop helping the 
user to sign or decrypt messages. This security architecture, called SEM, gave rise to an 
identity based mediated RSA scheme (IB-mRS ... 
Standard watermarking schemes suffer from a major problem: They require to reveal
security critical information to potentially untrusted parties, when proving the presence of a 
watermark to these parties. Zero-knowledge watermark detection is a promising means to 
overcome this problem and to improve the security of digital watermarking schemes in the 
context of various applications: it allows to cryptographically conceal the information 
required for the detection of a watermark and to prove the ... 
21 Security for Web Applications and P2P: Certified email with a light on-line trusted third
party: design and implementation 

Martin Abadi, Neal Glew 

May 2002 Proceedings of the eleventh international conference on World Wide Web 

Full text available: pdf(189.19 KB) Additional Information: full citation, abstract, citings, index terms

This paper presents a new protocol for certified email. The protocol aims to combine 
security, scalability, easy implementation, and viable deployment. The protocol relies on a 
light on-line trusted third party; it can be implemented without any special software for the 
receiver beyond a standard email reader and web browser, and does not require any public-key
infrastructure.

22 Password Management and Digital Signatures: Delegation of cryptographic servers for 
capture-resilient devices

Philip MacKenzie, Michael K. Reiter 

November 2001 Proceedings of the 8th ACM conference on Computer and 
Communications Security 

Full text available: pdf(312.90 KB)
Additional Information: full citation, abstract, references, citings, index



A device that performs private key operations (signatures or decryptions), and whose 
private key operations are protected by a password, can be immunized against offline 
dictionary attacks in case of capture by forcing the device to confirm a password guess with 
a designated remote server in order to perform a private key operation. Recent proposals 
for achieving this allow untrusted servers and require no server initialization per device. In 
this paper we extend these proposals to enable dynami ... 

23 Group Key Management and Signatures: Accountable-subgroup multisignatures:
extended abstract 

Silvio Micali, Kazuo Ohta, Leonid Reyzin 

November 2001 Proceedings of the 8th ACM conference on Computer and 
Communications Security 

Full text available: pdf(306.24 KB) Additional Information: full citation, abstract, references, citings, index terms

Formal models and security proofs are especially important for multisignatures: in contrast 
to threshold signatures, no precise definitions were ever provided for such schemes, and 
some proposals were subsequently broken. In this paper, we formalize and implement a 
variant of multi-signature schemes, Accountable-Subgroup Multisignatures (ASM). In 
essence, ASM schemes enable any subgroup, S, of a given group, G, of potential signers, to 
sign efficiently a message M so t ... 
Dario Catalano, Rosario Gennaro, Nick Howgrave-Graham, Phong Q. Nguyen
November 2001 Proceedings of the 8th ACM conference on Computer and 

Communications Security 

Full text available: pdf(1.55 MB) Additional Information: full citation, abstract, references, index terms

We re-examine Paillier's cryptosystem, and show that by choosing a particular discrete log 
base g, and by introducing an alternative decryption procedure, we can extend the scheme 
to allow an arbitrary exponent e instead of N. The use of low exponents substantially 
increases the efficiency of the scheme. The semantic security is now based on a new 
decisional assumption, namely the hardness of deciding whether an element is a "small"
e-th residue modulo N ...

25 Password Management and Digital Signatures: Twin signatures: an alternative to the 
hash-and-sign paradigm 

David Naccache, David Pointcheval, Jacques Stern 

November 2001 Proceedings of the 8th ACM conference on Computer and 
Communications Security 

Full text available: pdf(402.64 KB) Additional Information: full citation, abstract, references, index terms

This paper introduces a simple alternative to the hash-and-sign paradigm, from the security
point of view but for signing short messages, called twinning. A twin signature is obtained 
by signing twice a short message by a signature scheme. Analysis of the concept in 
different settings yields the following results: 

• We prove that no generic algorithm can efficiently forge a twin DSA signature. 

Although generic algorithms offer a less stringent form of security than computational 
red ... 

Keywords: digital signatures, discrete logarithm, flexible RSA problem, generic 
model, provable security, standard model 
encryption

Phillip Rogaway, Mihir Bellare, John Black, Ted Krovetz 

November 2001 Proceedings of the 8th ACM conference on Computer and 
Communications Security 

Full text available: pdf(285.44 KB) Additional Information: full citation, abstract, references, citings, index terms

We describe a parallelizable block-cipher mode of operation that simultaneously provides 
privacy and authenticity. OCB encrypts-and-authenticates a nonempty string $M \in \{0,1\}^*$
using $\lceil |M|/n \rceil + 2$ block-cipher invocations, where n is the block length of
the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, 
suggested by Charanjit Jutla. Desirable properties of OCB include: the ability to encrypt a 
bit string of arbitrary length into a ... 

Keywords: AES, authenticity, block ciphers, cryptography, encryption, integrity, modes of 
operation, provable security, standards 
It is a maxim of sound computer-security practice that a cryptographic key should have
only a single use. For example, an RSA key pair should be used only for public-key
encryption or only for digital signatures, and not for both. In this paper we show that in
many cases, the simultaneous use of related keys for two cryptosystems, e.g. for a public-key
encryption system and for a public-key signature system, does not compromise their
security. We demonstrate this for a variety of public-key encry ... 

28 Group Key Management and Signatures: Provably authenticated group Diffie-Hellman 
key exchange 

Emmanuel Bresson, Olivier Chevassut, David Pointcheval, Jean-Jacques Quisquater 
November 2001 Proceedings of the 8th ACM conference on Computer and 
Communications Security 

Full text available: pdf(578.14 KB) Additional Information: full citation, abstract, references, citings, index terms

Group Diffie-Hellman protocols for Authenticated Key Exchange (AKE) are designed to 
provide a pool of players with a shared secret key which may later be used, for example, to 
achieve multicast message integrity. Over the years, several schemes have been offered. 
However, no formal treatment for this cryptographic problem has ever been suggested. In 
this paper, we present a security model for this problem and use it to precisely define AKE 
(with "implicit" authentication) as the fundamental goal ... 

29 Practical multi-candidate election system

Olivier Baudron, Pierre-Alain Fouque, David Pointcheval, Jacques Stern, Guillaume Poupard 
August 2001 Proceedings of the twentieth annual ACM symposium on Principles of 
distributed computing 

Full text available: pdf(898.50 KB) Additional Information: full citation , abstract , references , index terms 

The aim of electronic voting schemes is to provide a set of protocols that allow voters to 
cast ballots while a group of authorities collect the votes and output the final tally. In this 
paper we describe a practical multi-candidate election scheme that guarantees privacy of 
voters, public verifiability, and robustness against a coalition of malicious authorities. 
Furthermore, we address the problem of receipt-freeness and incoercibility of voters. Our 
new scheme is based on the Paillier cryp ... 

30 Fair electronic cash withdrawal and change return for wireless networks 
Robert Tracz, Konrad Wrona 

July 2001 Proceedings of the 1st international workshop on Mobile commerce 

Full text available: pdf(460.27 KB) Additional Information: full citation, abstract, references, citings, index terms

We propose a practical mobile electronic cash system that combines macro and 
micropayment mechanisms and offers very high security and user's privacy protection. 
Notably, we have developed an innovative fair withdrawal and change return protocols, 
which are efficient and preclude any fraudulent misbehaviors, while user anonymity and 
transaction unlinkability are preserved. Coins are withdrawn if, and only if payer's account
is debited. Change is returned to an anonymous payer, who gets it alw ... 

Keywords: electronic commerce, payment systems, wireless applications 



31 Secure password-based cipher suite for TLS 

May 2001 ACM Transactions on Information and System Security (TISSEC), Volume 4 
Issue 2 

Full text available: pdf(507.57 KB) Additional Information: full citation, abstract, references, citings, index terms, review

SSL is the de facto standard today for securing end-to-end transport on the Internet. While 
the protocol itself seems rather secure, there are a number of risks that lurk in its use, for 
example, in web banking. However, the adoption of password-based key-exchange 
protocols can overcome some of these problems. We propose the integration of such a 
protocol (DH-EKE) in the TLS protocol, the standardization of SSL by IETF. The resulting
protocol provides secure mutual authentication and key establi ... 

Keywords: Authenticated key exchange, dictionary attack, key agreement, password, 
perfect forward secrecy, secure channel, transport layer security, weak secret 



32 Composition and integrity preservation of secure reactive systems 
Birgit Pfitzmann, Michael Waidner 

November 2000 Proceedings of the 7th ACM conference on Computer and 
communications security 

Full text available: pdf(542.46 KB) Additional Information: full citation, references, citings, index terms

33 Signature schemes based on the strong RSA assumption
Ronald Cramer, Victor Shoup 

August 2000 ACM Transactions on Information and System Security (TISSEC), volume 3 
Issue 3 

Full text available: pdf(168.52 KB) Additional Information: full citation, abstract, references, citings, index terms, review

We describe and analyze a new digital signature scheme. The new scheme is quite efficient, 
does not require the signer to maintain any state, and can be proven secure against 
adaptive chosen message attack under a reasonable intractability assumption, the so-called 
strong RSA assumption. Moreover, a hash function can be incorporated into the scheme in 
such a way that it is also secure in the random oracle model under the standard RSA 
assumption. 

Keywords: RSA, digital signatures, provable security 



34 Efficient verifiable encryption (and fair exchange) of digital signatures 
Giuseppe Ateniese 

November 1999 Proceedings of the 6th ACM conference on Computer and 
communications security 

Full text available: pdf(781.40 KB) Additional Information: full citation, abstract, references, citings, index

A fair exchange protocol allows two users to exchange items so that either each user gets 
the other's item or neither user does. In [2], verifiable encryption is introduced as a 
primitive that can be used to build extremely efficient fair exchange protocols where the 
items exchanged represent digital signatures. Such protocols may be used to digitally sign 
contracts. This paper presents new simple schemes for verifiable encryption of digital
signatures. We make us ... 

Keywords: contract signing problem, digital signatures, fair exchange, proof of knowledge, 
public-key cryptography, verifiable encryption 



35 Public-key cryptography and password protocols: the multi-user case 
Maurizio Kliban Boyarsky 

November 1999 Proceedings of the 6th ACM conference on Computer and 
Full text available: pdf(1.00 MB) Additional Information: full citation, abstract, references, citings, index

The problem of password authentication over an insecure network when the user holds only
a human-memorizable password has received much attention in the literature. The first
rigorous treatment was provided by Halevi and Krawczyk, who studied off-line password 
guessing attacks in the scenario in which the authentication server possesses a pair of 
private and public keys. In this work we: Show the inadequacy of both the HK formalization 
and protocol in the ... 

36 Privacy preserving auctions and mechanism design 
Moni Naor, Benny Pinkas, Reuban Sumner 

November 1999 Proceedings of the 1st ACM conference on Electronic commerce 

Full text available: ^ pdf(278.36 KB) Additional Information: full citation , references , citings , index terms 




37 Unlinkable serial transactions: protocols and applications 
Stuart G. Stubblebine, Paul F. Syverson, David M. Goldschlag 

November 1999 ACM Transactions on Information and System Security (TISSEC), Volume 
2 Issue 4 

Full text available: pdf(184.87 KB) Additional Information: full citation, abstract, references, citings, index terms, review

We present a protocol for unlinkable serial transactions suitable for a variety of network-based
subscription services. It is the first protocol to use cryptographic blinding to enable
subscription services. The protocol prevents the service from tracking the behavior of its 
customers, while protecting the service vendor from abuse due to simultaneous or cloned 
use by a single subscriber. Our basic protocol structure and recovery protocol are robust 
against failure in protocol termination. ... 

Keywords: anonymity, blinding, cryptographic protocols, unlinkable serial transactions



38 On the fly signatures based on factoring
Guillaume Poupard, Jacques Stern 

November 1999 Proceedings of the 6th ACM conference on Computer and 
communications security 

Full text available: pdf(786.71 KB) Additional Information: full citation, abstract, references, index terms

In response to the current need for fast, secure and cheap public-key cryptography largely 
induced by the fast development of electronic commerce, we propose a new on the fly 
signature scheme, i.e. a scheme that requires very small on-line work for the signer. It
combines provable security based on the factorization problem, short public and secret 
keys, short transmission and minimal on-line computation. It is the first RSA-like signature 
scheme that can be used for both ef ... 

39 Public-key cryptography and password protocols
Shai Halevi, Hugo Krawczyk 

August 1999 ACM Transactions on Information and System Security (TISSEC), volume 2 
Issue 3 

Full text available: pdf(275.84 KB) Additional Information: full citation, abstract, references, citings, index terms, review

We study protocols for strong authentication and key exchange in asymmetric scenarios 
where the authentication server possesses a pair of private and public keys while the
client has only a weak human-memorizable password as its authentication key. We present 
and analyze several simple password authentication protocols in this scenario, and show 
that the security of these protocols can be formally proven based on standard cryptographic 
assumptions. Remarkably, our analysis shows optimal re ... 

Keywords: dictionary attacks, hand-held certificates, key exchange, passwords, public 
passwords, public-key protocols 